5 Questions to Ask about Your Organization’s Data Security

Managing your organization’s data securely is a full-time job (sometimes multiple full-time jobs, depending on the size of your organization!). However, if you’re a non-technical executive trying to understand the different requirements for data security to pass on to your IT team, then it can be challenging to ensure that all of your bases are covered.

Fortunately, drawing on Telcion’s security expertise, we have broken data security down into five straightforward questions that will help you identify where your organization needs to address potential data security concerns.

Where is your data being stored?

Increasingly, organizations are moving to the cloud for their data storage. If you must store particularly sensitive information, such as documents related to government defense contracts, you may be required to keep it on a dedicated on-premises server to satisfy contractual security requirements. However, most organizations can use cloud storage safely and efficiently if the proper precautions are taken.

Here are some questions to ask about the cloud services you are using or considering:

  • Where are the cloud provider’s servers physically located?

  • What are the requirements of your cybersecurity insurance policy?

  • What are the responsibilities of the cloud provider in the event of a cybersecurity incident?

  • How are you going to protect traffic going to and from the cloud provider?

Who has access to your data?

It’s really important that data is only available to the people who need it. This means that not only should people outside your organization not be able to access your data, but also that not everyone within your organization gets to have access to the same data. As a general rule of thumb, employees should only have access to the data they need to carry out their job duties.

Auditing your data to determine who has access to what can help you identify weaknesses in your organization that attackers could exploit, such as accounts belonging to former employees that were never disabled, or staff who have accumulated permissions from previous roles that they no longer need.
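The kind of access review described above can be automated once you have an export of who holds which permissions. The script below is an added illustration, not Telcion’s code, and runs on constructed sample data: a hypothetical employee roster, a hypothetical mapping of each role to the datasets it legitimately needs, and a list of grants as they might be exported from a file server or business application. It flags three things a reviewer would want to see: grants that exceed what a person’s role needs, grants still held by people who have left, and grants held by accounts that are not on the roster at all.

```python
"""Access-review helper (added illustration, not Telcion's code).

Compares the permissions actually granted on a system against the
permissions each role legitimately needs, and reports the differences.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed: the datasets each role needs to do its job (least privilege).
ROLE_NEEDS = {
    "accounting": {"invoices", "payroll"},
    "reception": {"visitor-log"},
    "it-admin": {"invoices", "payroll", "visitor-log", "hr-records"},
}

# Constructed employee roster: user -> (role, still employed?).
EMPLOYEES = {
    "alice": ("accounting", True),
    "bob": ("reception", True),
    "carol": ("it-admin", True),
    "dave": ("accounting", False),   # has left the organization
}

# Constructed grants, as exported from a file share or SaaS application.
GRANTS = [
    ("alice", "invoices"),
    ("alice", "payroll"),
    ("bob", "visitor-log"),
    ("bob", "hr-records"),    # a receptionist should not see HR records
    ("carol", "payroll"),
    ("dave", "invoices"),     # former employee still holds access
    ("mallory", "payroll"),   # account that is not on the roster at all
]


@dataclass
class Findings:
    excess: list = field(default_factory=list)    # (user, dataset, role)
    orphaned: list = field(default_factory=list)  # (user, dataset)
    unknown: list = field(default_factory=list)   # (user, dataset)


def review_access(employees, role_needs, grants):
    """Classify every grant as fine, excessive, orphaned or unknown."""
    findings = Findings()
    for user, dataset in grants:
        if user not in employees:
            # Nobody on the roster owns this account: investigate it.
            findings.unknown.append((user, dataset))
            continue
        role, active = employees[user]
        if not active:
            # The person has left; the grant should have been revoked.
            findings.orphaned.append((user, dataset))
            continue
        if dataset not in role_needs.get(role, set()):
            # Grant goes beyond what the role needs to do its job.
            findings.excess.append((user, dataset, role))
    return findings


def print_report(findings):
    for user, dataset, role in findings.excess:
        print(f"EXCESS   {user:8} {dataset:12} (role {role} does not need it)")
    for user, dataset in findings.orphaned:
        print(f"ORPHANED {user:8} {dataset:12} (user no longer employed)")
    for user, dataset in findings.unknown:
        print(f"UNKNOWN  {user:8} {dataset:12} (account not on roster)")


if __name__ == "__main__":
    print_report(review_access(EMPLOYEES, ROLE_NEEDS, GRANTS))
```

In practice the roster would come from your HR system and the grants from the system being reviewed; the point of the comparison is that access is judged against what each role needs, not against what people currently happen to have.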

Don’t forget physical security, too! For instance, if important or sensitive information is accessible through a receptionist’s computer, then it is important to ensure that the general public cannot access the front desk. Additionally, access to your organization’s data center should be restricted to select IT employees only.

How are people accessing your data?

Not all data access methods are created equal. For instance, it is generally easier to protect data when it is all being accessed from the same place, like a central office. However, if your organization has a lot of sites and/or remote/hybrid employees then your network immediately becomes more decentralized and harder to protect.

Something else to consider is the set of devices from which data is being accessed. As with physical location, the more devices you have and the more varied they are, the more potential security factors you will have to keep track of. A particularly relevant factor for many businesses is the prevalence of IoT devices. These devices, such as medical equipment, cameras, environmental sensors, and more, can be really useful and add a lot of value to the functioning of your organization. However, every IoT device you introduce widens the scope for a potential security failure. Just as you need to ensure that only the right people have access to your organization’s data, you also need to make sure that IoT devices can reach only the systems and information they need in order to operate.

What protections have been placed on your data?

There are lots of different ways to protect your organization’s data. Generally, a good rule of thumb is that you want to make sure you have protections on every layer of your organization’s “stack.”

The “stack” borrows from the layered models used in computer networking, which picture the different spheres of computing and data transfer stacked on top of each other like the layers of a cake. The top layer is the web or application layer. This includes your organization’s website and the interfaces of the different software tools you use to conduct business. The bottom layer is the physical hardware that keeps your organization running: switches, firewalls, and end user devices like laptops. Everything in between is the rest of the technology that connects the two, such as operating systems, networks, and databases. You want to make sure that each layer of your organization’s stack is protected, because an attacker who finds an unprotected layer can often bypass the protections on the others.

What regulatory requirements do you have to meet regarding data security?

Different organizations have different regulatory requirements for data security. For instance, if you are a healthcare organization then you have to abide by the data security rules outlined by HIPAA in order to maintain compliance. Additionally, cybersecurity insurance policies specify the security standards your organization must maintain in order to be eligible to make claims. It’s important to understand what requirements outside entities have placed upon your organization in order to maintain compliance and follow data security best practices.


If these five questions generated more questions, then please reach out to info@telcion.com to talk to one of our security experts about ways you can protect your organization.

